01 Background to risk maturity models
Misunderstandings:
Introduction
Megan, a quality manager at an NGO, had been given a formidable task
and felt lost. Using the information contained in this chapter, Megan
learnt to understand the way that risk maturity models evolved away from
the capability maturity models that lead to Six Sigma and other concepts in
quality management that she was more familiar with. She did not feel lost
anymore but understood the direction she needed to take with risk maturity.
She even had a few misconceptions cleared up along the way.
The purpose of this background chapter is to start by clarifying the basic concepts and definitions behind risk maturity models and how they are connected to the organization’s need to assess risk management effectiveness. We trace how, since 1997, risk maturity models have evolved away from their parent, the capability maturity model. We learn how risk maturity models have expanded to cover multiple risk-related capabilities other than just process. We clear up some common misunderstandings to clarify language and to avoid things that should not deter organizations from ‘moving up the risk maturity curve’. This enables us to understand the benefits and potential in these models, which are covered in Chapter 2.
one step at a time will help to compare, tailor, design and enhance your risk
over time.
A maturity model uses a model of some sort to order its subject matter
lies in some form of progression over time, rather than a creation event
at one point in time. It harks back to the adage ‘Rome was not built in
a day’.
The model often takes the form of a ladder, continuum or set of structured
ascending levels or classes describing content that is evolving, developing or
adding more sophisticated qualities over time. The content subject area can
vary and may represent almost anything. It may be actions, objects or things
but it typically includes progressive ways of doing something, characteristics
of something, initiatives, practices and processes.
Maturity models are often dubbed ‘road maps’ for planning and implementation purposes. This signifies that maturity models attempt to transform content that may be complex and difficult into a more simplified actionable system to ‘road map’ improving, desired, anticipated, typical or logical evolutionary paths for organization actions.
It is important to note that whilst maturity model evaluations may outline anticipated, typical, logical and desired evolutionary paths, these paths
as to how complete they are at any current point in time (as-is) or can be at
interaction of many tangibles. These may change over time and may be
what commonly defines the shared components for all modern capability
et al, 2005).
We return to this point later, but what is important to note here is that
the original software sector and its followers have a quite narrow definition
at work, would I be able to quantify (count) and qualify (rate) these behav-
confuse.
Capability on the other hand, within our context here, involves the
resources to enable risk owners to effect risk action plans to which they
term of convenience. We take the elements cited by what ISO 31000 calls
The more correct full term should be: a risk management system capability
Risk maturity must not be confused with the ‘maturity’ of a risk, as in the maturation or realization of specific risks per se within the risk assessment process. For example, it should not be confused with risks moving from a watch-list status to a ‘closed/archived/treated’ status; or, moving from the so-called ‘unknown-unknown risk’ to a ‘known-unknown’ status.
Risk management maturity is cited by ISO 31000:2009 in strategic terms. It states that organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization (Principle k). These strategies involve the planning and deployment of deliberately coordinated and resourced initiatives to improve organization capabilities specific to the risk management system – including its outcomes – in order to achieve maturity targets aligned to organization objectives.
model.
effectiveness
Chris’s new boss came from an investment bank. The boss is fond of
expensive computer risk software and high-end financial risk and
quantification techniques and he introduces them to the construction firm.
These produce some novel and faster risk reports that seem to initially
improve the risk analysis and reporting steps in the risk process. However,
there is a lot of passive resistance from most of the line managers who are
not ready for such technology at this ‘small/lean/mean’ outfit. This passive
resistance has a GIGO-effect (garbage-in-garbage-out). This means the
overall rate of risk treatment effectiveness fell rather than rose. Chris feels
that the new boss has confused efficiency with effectiveness, to the
detriment of the latter.
things’ in terms of the risk management system capabilities that include the
evaluating the capability improvement gaps between the current ‘as-is’ state
and targeted future ‘to-be’ states of the risk management system over
evidenced and reasonably assured for their adequacy and effectiveness (as
per ISO Guide 73: 3.8.2.6; ISO, 2009b). This is opposed to ‘doing things
tiveness (ie the risk of ineffective risk management) is arguably the greatest
work came from to establish trust). We defined the risk maturity model as
an evolutionary offshoot of the capability maturity model (often dubbed
CMM) that is adapted to the specific domain of risk management capabilities. Here, we quickly trace the origin of the risk maturity model since
1997, starting with its parent, the capability maturity model. In this way,
we appreciate the history of the risk maturity model as a proven but still
evolving tool that is still underutilized around the world and yet to release
its full potential in widespread global practice from developed to developing
countries.
We also appreciate that we can expect cross-fertilization to the enterprise
risk management (ERM) umbrella domain to continue into the future.
Therefore, if we want to design and improve our risk maturity models we
need to understand where to look. ERM practitioners will continue to
draw from new capability maturity models as the latter will continue to
represent a sister body of knowledge for inspiration and for potential
assess how managers could improve a single process originated with Walter
statistical quality control. The second pioneer was Watts S. Humphrey and
his 1989 book Managing the Software Process. The model was focused in
This still forms the foundation of most maturity models today. By 1991, the
Carnegie Mellon University Software Engineering Institute (SEI) released
the Software Capability Maturity Model (commonly referred to as the ‘SEI
CMM’).
The SEI model increments process development from one level to the next
along a theoretical continuum of process maturity. It is process-centric and
the focus is on single-process capability improvement. The predictability,
effectiveness and control of an organization’s software processes are believed
to improve as the organization moves up five maturity levels. Within each of
these maturity levels are key process areas, which characterize that level.
Skipping levels is regarded as either not allowed or not feasible.
A typical SEI CMM has five Likert scale levels with titles and short
descriptors:
time.
●● Managed – level 4 refers to the use of process metrics and other ways
(XP) computer programming methodology and Six Sigma (as we saw with
maturity model
The SEI-style of capability maturity model has been adapted to the risk
Alan understands that the utility company he works for is very process-
driven and relies on information technology (IT). For this reason, he had
checked out both the ISO/IEC 33001:2015 Information technology – Process
assessment standard and the SEI capability maturity models as they too
are quite process-driven. He thought they might function well as reference
material to independently assure by an annual audit the existing risk
maturity model that the ERM manager was stewarding. He decides that his
IT people might be interested in a capability maturity model for assessing
their own process effectiveness as an IT function. But he also feels that
the ERM manager is quite correct in saying that a capability maturity model
is too narrow for ERM purposes and that the maturity levels are not a great
fit to their utility. Alan also found support for the need for a multi-capability
risk maturity model when he read McKinsey & Co for more guidance
(Pergler, 2012).
to capabilities
including assets and exposures, but also strategic capabilities; risk management can be one of these.’
McKinsey sees ERM as a journey for all business sectors over several
stages of a maturity spectrum. As of 2012, McKinsey believed that certain
sectors could be attributed to certain ascending maturity stages:
or 5 is not known. The article (Pergler, 2012) does highlight our key point
as to how far risk maturity models moved to expand from one to multiple
capabilities. For McKinsey, then, key maturity-rating criteria are not just
Practitioner Alan has one correction to the McKinsey view. He feels that
the risk management discipline predates the adoption by financial institutions
in the 1980s, not the other way around. Risk management draws on roots in
the legal, insurance, project management as well as health and safety
disciplines that predate the 1980s and were not sector specific. Alan had
learnt a lot from an older mentor at his utility who, as an internal auditor,
had lots of experience assuring these specialty risk disciplines that were
important to utilities (and energy/oil and gas sectors) from the 1960s and 1970s.
Figure 1.1 (Halliday, 2012), recovered from diagram residue: stages ‘Operations Management’, ‘Financial Risk Management’ (Focus: Financial and hazard risks and internal controls; Scope: Treasury, insurance and operations involved (risk-by-risk)) and ‘Business Risk Management’ (Focus: Business risk; Linkage to opportunity; Scope: Align strategy, processes, people, technology and knowledge; Risk is crystalline).
has value-added to the organization over time. Figure 1.1 (Halliday, 2012)
Figure 1.2. This summarizes how capability maturity models have continued
evolving whilst risk maturity models branched off in 1997 into ERM and
ever-more risk-specialized offshoots to the modern day.
As in nature and biology, such evolutionary diversity is a most beneficial aid for maturity modellers wanting to tailor their own risk maturity model to their organization’s internal and external context. Continuous improvement drives evolving risk maturity models akin to how biological evolutionary forces such as natural selection do the same for speciation. The diversity in model approaches provides a rich range of source material for tailoring. These sources continue to grow.
Now that we have some clearer vocabulary, let us turn our attention to
some important misunderstandings that need to be clarified before closing
this background chapter.
born equal
All risk maturity models are not born equal. As in nature and biology,
individuals of the same species may appear superficially equal and/or the
same but their DNA and behaviour differ. If the highest purpose for a risk
then logic declares that at least some or a number of models are never going
valuable for at least three reasons. First, starting your risk management
system somewhere and building on it over time is far better than doing
nothing at all and especially so for early or low maturity organizations.
Second, parts or attributes from any risk maturity model – even for one
capability or a level description – can be put to use or influence the tailoring
of your own model. Some part or whole of any model can be tailored and
adapted to suit your organization. As many models are conceptual in nature,
this lends itself to tailoring. Third, this inclusive attitude to content is a
positive. It helps drive continuous improvement for the risk discipline/
profession and for the common good.
In the end, you will find that you can tailor parts or the whole of some risk
maturity models far more appropriately to your organization than others.
Finding the right mix for you and your organization is the trick.
ing to work to a client brief clamouring for ‘best practice’ have often rued
those Tom Peters lauded companies of the 1980s. We must not forget that
Enron was held up by McKinsey & Co and others as ‘global best practice’
that the McKinsey-led ‘very best and brightest talent’ culture mindset that
was the vogue at the turn of the century led to the Enron collapse in a mire
a discipline is still feeling its way, is somewhat naive and playing ‘catch-up’ to far more mature professions such as the internal audit, project management or insurance professions. These related professions enjoy well-established tools, techniques, trade media sponsorship, deep coffers from large professional memberships and bodies of knowledge that spell out their capabilities to boards and executive or senior management (CxOs). The Project Management Institute’s ‘Project Management – Body Of Knowledge’ (PM-BOK®) is one example of this. Other professions understand and have a common agreement as to the set of core capabilities they bring to the table. As yet, the risk ‘profession’ does not.
The claim to being ‘global’ is overused and needs to be used very
carefully. Standards that are ISO-designated through accredited national
bodies may legitimately claim to be ‘global’. However, most other so-called
that garners stakeholder buy-in and they can be sustained over time.
regression or stasis
progress. Rather, it involves fits and starts and adaptations with readaptations
and competition. Think of the various species such as whales that evolved
from land to pond to sea then back again over time. The evolution lesson is
Megan was interested in learning from the largest accidental marine oil
spill in history, the BP Gulf of Mexico 2010 disaster, when the Deepwater
Horizon offshore oil platform exploded. It caused 11 fatalities, reputation
loss, a share price cliff-fall and at least US $65 billion in damages and
reparations. She guessed that the oil giant rated its risk maturity level
very highly at close to 90% Level Index after 100+ years of safety and risk
management operations. Megan was shocked to discover when she
looked into the causes that the BP subcontractor involved in the blowout
had a nonsense risk register. This register was such a bad ‘copy-and-paste
check-the-box job’ that it registered icebergs and whale risks in the Gulf of
Mexico! Megan doubted that the cause could be swept under the carpet
as just individual human error and oversight by a few individuals intent on
taking safety and quality shortcuts. She is convinced this was not just one
capability deficiency in, say, supplier management. She feels that the CEO
comment that led to his forced resignation (‘You know, I’d like my life back’)
costly form of risk maturity regression when a highly risk mature organization’s
culture becomes too arrogant and complacent from the top-down and at
any point in-between. She understands now that risk maturity is not only
Case study Regression case study: INFRACO, infrastructure firm
dedicated ERM officers. See Chapter 5 on Designing a tailored risk maturity model,
occur, the risk function must be alert and warn in advance of its potential or
●● merger or acquisition;
For the ‘yes’ case, no matter how well the risk maturity model is applied, the risk and audit functions still need the right mix of people competencies to apply their hand to the tool. People still remain the ERM drivers and process the ‘hand-rail’ (meaning an inert guide of no use unless put to its designed use by people). Any tool or technology will never make up for this. For example, look at the demanding combination of qualities or competencies that a risk director, chief risk officer (CRO) and risk function need to have according to the Directors and Chief Risk Officers Group (DCRO) and Governance Council (DCRO, 2013). They include multiple competencies categorized under: risk management acumen, personal attributes, business acumen, education, and experience. Tool-use does not at face value figure prominently here.
For the ‘no’ case, a risk maturity model tool is a powerful enabler – if not
an ERM driver. This is not to say that a risk maturity or any model will
guarantee organization success – no single model will guarantee this.
ness. Look at the huge number of tools cited in ISO/IEC 31010:2009 (ISO,
2009c). If the risk and management disciplines accept such a brilliant range
of tools just for the risk assessment process alone then there surely is no
issue with adding a tool to road map a wider range of capabilities (including
generally want what is useful and works today – perfection can wait for
Summary
This background chapter clarifies the basic concepts and definitions behind risk maturity models and how they are connected to the organization’s need to assess risk management effectiveness. We trace how risk maturity models have, since 1997, evolved away from their parent, the capability maturity model and the SEI CMM. We learn how risk maturity models have expanded to cover multiple risk-related capabilities other than just process. We clear up some common misunderstandings regarding risk maturity models: being treated equally, so-called ‘global best practice’, progression without regression or stasis states, and their status as a tool.